
Re: #328: user Intervention on Redirects

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 17 Feb 2012 15:19:33 -0800
Message-ID: <CAJE5ia9i77xJ3pbtNLm5h36yZrkBd+e95ogqZ7srAFMAgjc0Vw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Henrik Nordström <henrik@henriknordstrom.net>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
2012/2/17 Martin Thomson <martin.thomson@gmail.com>:
> 2012/2/15 Henrik Nordström <henrik@henriknordstrom.net>:
>> tis 2012-02-07 klockan 08:38 -0800 skrev Martin Thomson:
>>
>>> There isn't a security problem.  X has the information and could
>>> forward to Y itself.
>>
>> No it doesn't. Y may require authentication / session cookies / IP based
>> access lists etc which X can not provide on its own.
>
> Damn, I can be dense sometimes.  Obviously, if I can convince you to
> send me a POST that says "transfer $10 to acct number X" (which is
> trivially easy) and then redirect you to your bank, if you have an
> open session and the bank doesn't check Referer (though that wouldn't
> necessarily help), you've just made an easy $10.
>
> Are there any measures that browsers could take to limit this sort of
> thing?

You're describing a CSRF attack.  There is a moderate size literature
about possible browser solutions to CSRF, but none of them have caught
on.  In the meantime, web sites defend themselves against this attack
using secret tokens.

For more details, please see
<http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf>.

Adam
Received on Friday, 17 February 2012 23:20:36 GMT
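The secret-token defence Adam refers to, as an added example (not code from this thread or from the cited paper): the site binds a token to the user's session, embeds it in its own forms, and rejects any state-changing request that arrives with the session cookie but without a matching token. The names `SERVER_KEY`, `issue_csrf_token` and `handle_request` and the constructed session id are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a deployment would load it from configuration.
# It never leaves the server, so a third party cannot compute valid tokens.
SERVER_KEY = secrets.token_bytes(32)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Derive the token for a session as HMAC(SERVER_KEY, session_id).

    The site puts this value in a hidden field of its own forms. Because it is a
    keyed hash, the server can recompute it on submission without storing it.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_request(method: str, cookies: dict, form: dict) -> tuple[int, str]:
    """Simulated request handler for a bank-style endpoint.

    The cookie proves who the user is; the token proves the request came from a
    page the site itself served. A forged POST relayed through a redirect carries
    the cookie (the browser attaches it automatically) but cannot carry the token.
    """
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "no session"
    if method in STATE_CHANGING:
        presented = form.get("csrf_token", "")
        expected = issue_csrf_token(session_id)
        # Constant-time comparison so mismatches leak no timing information.
        if not hmac.compare_digest(presented, expected):
            return 403, "CSRF token missing or invalid"
    return 200, "transfer accepted"


def demo() -> dict:
    """Constructed scenario: one logged-in session, three submissions."""
    cookies = {"session": "sess-victim-1"}          # constructed session id
    genuine = {"to": "X", "amount": "10", "csrf_token": issue_csrf_token("sess-victim-1")}
    forged = {"to": "X", "amount": "10"}            # no token: came from elsewhere
    wrong = {"to": "X", "amount": "10", "csrf_token": issue_csrf_token("sess-other")}
    return {
        "genuine": handle_request("POST", cookies, genuine),
        "forged": handle_request("POST", cookies, forged),
        "other_session_token": handle_request("POST", cookies, wrong),
        "read_only": handle_request("GET", cookies, {}),
    }
```

The token must be tied to the session as here; a fixed site-wide value would be learnable from any account and defeat the check.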
